Web Content Filtering with OpenDNS

Once in a while, you come across a gem that you just want to share with others. I recently stumbled upon OpenDNS, and I've had such a good experience with it, I thought I'd write a bit about it. For the record, I have no affiliation with OpenDNS, except that I'm a happy user of this free service.

A week or so ago, I volunteered to do some networking for a small local church that runs a coffee shop as a community outreach program. In addition to having the best coffee in town, the church wanted to provide free Wi-Fi. But, because this is primarily a church outreach, the project leaders obviously were concerned about being able to filter inappropriate Web activity. My plan was to install a WRT54 router and flash it with DD-WRT or OpenWRT, so that I could install a content filter such as DansGuardian. I wasn't very excited about having to maintain the content blocking mechanism though. Content blocking is a difficult, sometimes ugly job, and the church didn't have a budget to pay for even an inexpensive filtering service.

While researching the final configuration, I came upon a link to OpenDNS. I like “Open” and I like “DNS,” so I clicked on the link out of curiosity, never expecting that this service would be a simple and complete solution to my content filtering problem. OpenDNS is a free service that enables you to block content you deem inappropriate at the DNS level. There's no need for any proxy configuration on either the client or the server. All you have to do is arrange for your servers and clients to use the OpenDNS DNS servers instead of the DNS servers provided by your Internet provider. Once that is done, if users try to access a Web site that provides inappropriate content, they are redirected to an OpenDNS Web site that tells them the site has been blocked and why.

OpenDNS categorizes content into more than 50 categories that can be blocked on an individual basis. In addition to the obvious categories, OpenDNS also can block video sharing, classifieds, games, p2p and so on. The categories are pretty self-explanatory, and the Web site is easy to use. By selecting which categories to block, you can implement almost any content filtering policy you can imagine. In fact, the Web site indicates that this service is targeted at corporations and schools that can't afford to...um...expose themselves to potential litigation.

If the established categories are too restrictive, or too broad, OpenDNS provides a whitelist and blacklist capability that can be applied to individual domains. For example, I had created a policy for the church that blocked access to all video sharing sites, only to find that the Pastor uses YouTube to download teaching materials. So the solution was to keep the video sharing block in place, but to whitelist youtube.com explicitly. This was a simple operation that I performed while he watched.

To start using OpenDNS, you have to sign up as a user. You then associate networks to your user account, and each network can have a separate filtering policy. Once I had signed up, I created a separate policy for the church, for my home and for my business. The OpenDNS servers use the source IP address of each DNS request to determine from which network the request comes and, thus, which policy to apply to the request. If the name resolution request is for a site that isn't being blocked, OpenDNS returns the appropriate address just like any other DNS server. On the other hand, if the request is for a domain that provides content contrary to the policy in effect, the OpenDNS server returns an address that points to a Web site explaining that the request has been blocked.

Another nice bonus to using OpenDNS is that it fixes mistyped URLs. For example, if you try to visit http://www.google.con (note the last character of the name is an “n” and not an “m”), OpenDNS is smart enough to figure out that you really meant to go to a search engine, not a “con” engine. OpenDNS simply redirects your request, and you end up where you intended to be. If you try to visit http://www.google.gov, OpenDNS knows that there is no such domain name and presents you with a list of suggested destinations. It works amazingly well.

If that wasn't enough, it has one more interesting feature: shortcuts. The shortcut feature allows you to define mnemonic shortcuts for Web sites you use frequently. For example, I created a shortcut, “gg”, that takes me to Google. So all I have to do is type two gs on the URL toolbar and press Enter, and soon enough, I'm at Google. You even can map a shortcut to a more complex URL, including full path or cgi form parameters.

The OpenDNS Web site claims that because its servers are geographically distributed, OpenDNS can make Web sites load noticeably faster. I can't honestly say it seems that much faster, but it sure isn't any slower (even though it's enforcing a content filtering policy with each request). The transition to OpenDNS was completely seamless, and in normal, appropriate browsing, you'd never know the difference.

I don't think anyone would be surprised to hear that OpenDNS also provides detailed statistics and graphs that show where your users are trying to go on the Internet. By clicking on the STATS tab on the OpenDNS Web site's dashboard, you can get a list of all the domains that were resolved for your networks by OpenDNS, and which ones were blocked according to your filtering policy. You also can see graphs showing how many requests were made each hour or each day.

As mentioned previously, when you try to access a Web site that violates policy, you are redirected to an OpenDNS Web site explaining that the site you tried to access has been blocked because it belongs to one or more blocked categories. You also are presented with a couple of innocuous advertisements; these ads are the ONLY way OpenDNS makes money. It's ironic that the more people violate your filtering policy, the more money OpenDNS makes! For the most part though, OpenDNS is completely unintrusive and most users will never know they are using it.

Configuring my servers to use OpenDNS was easy. I simply modified my /etc/resolv.conf file and replaced the nameserver entries that were there with:

nameserver 208.67.222.222
nameserver 208.67.220.220

However, you have to configure your DHCP client to not overwrite the /etc/resolv.conf file with DNS information from the DHCP server. This is well documented in the manual, but might not be something you'd think about.

I use DHCP to point my home clients to my main DNS server for name resolution services, where I run bind. So, in order to get my name server to use OpenDNS, I changed /etc/bind/named.conf to contain a paragraph like this:

options {
    // Send every query this server can't answer from its own zones to OpenDNS.
    forwarders {
        208.67.222.222;
        208.67.220.220;
    };
};

On the other hand, if I wanted to point my DHCP clients directly to OpenDNS, I'd change /etc/dhcp/dhcpd.conf so that it contained a line like the following:

option domain-name-servers 208.67.222.222, 208.67.220.220;

If you're using a consumer-grade router as your Internet gateway, configuring it to use OpenDNS is usually trivial.

One final configuration note is in order though. In a potentially hostile network environment, such as a public Wi-Fi cafe like the one I described earlier, you MUST configure a firewall that blocks DNS traffic to any address other than the OpenDNS servers. Otherwise, you may find yourself telling a church Pastor that no one can access porn on his network, only to find out that they can—I don't even want to be in the same room when that demonstration fails.
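As an added example (not from the article), here is a POSIX shell script for that firewall rule on a Linux gateway such as the DD-WRT/OpenWRT router mentioned above: it emits iptables FORWARD rules that accept port 53 only toward the two OpenDNS addresses from the article and log-then-drop any other DNS traffic leaving the LAN. The LAN interface name br0 and the log prefix are my assumptions; the rules are printed rather than applied so they can be reviewed before piping them into sh.

```shell
#!/bin/sh
# Added example, not code from the article: force LAN clients' DNS to OpenDNS.
# A client that hand-edits its resolver settings gets its queries dropped (and
# logged) instead of silently bypassing the filtering policy.
# Assumptions (mine): LAN-side interface is br0; queries the gateway answers
# itself (e.g. a local bind forwarder) arrive on INPUT, not FORWARD, and are
# therefore unaffected by these rules.

OPENDNS="208.67.222.222 208.67.220.220"   # resolver addresses from the article
LAN_IF="${LAN_IF:-br0}"
LOG_PREFIX="DNS-BYPASS: "

# Print one ACCEPT per resolver/protocol, then rate-limited LOG and DROP for the rest.
gen_dns_rules() {
    for ip in $OPENDNS; do
        for proto in udp tcp; do
            printf 'iptables -A FORWARD -i %s -p %s --dport 53 -d %s -j ACCEPT\n' \
                "$LAN_IF" "$proto" "$ip"
        done
    done
    for proto in udp tcp; do
        # Log at most 5 entries/min so a misconfigured client can't flood syslog.
        printf 'iptables -A FORWARD -i %s -p %s --dport 53 -m limit --limit 5/min -j LOG --log-prefix "%s"\n' \
            "$LAN_IF" "$proto" "$LOG_PREFIX"
    done
    for proto in udp tcp; do
        printf 'iptables -A FORWARD -i %s -p %s --dport 53 -j DROP\n' "$LAN_IF" "$proto"
    done
}

# Self-check helper: how many emitted rules ACCEPT port 53 toward a given address.
count_accepts_for() {
    gen_dns_rules | grep -c -- "-d $1 -j ACCEPT"
}

# Review the output first, then apply with:  gen_dns_rules | sh
gen_dns_rules
```

Blocked attempts show up in the gateway's syslog with the DNS-BYPASS: prefix, which is an easy thing to watch after the coffee shop opens.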

So there you have it. If you spend about five minutes doing configuration work, you'll have the beginnings of a very solid content filtering capability, and it won't cost you a dime.

______________________

Mike Diehl is a freelance Computer Nerd specializing in Linux administration, programming, and VoIP. Mike lives in Albuquerque, NM, with his wife and 3 sons. He can be reached at mdiehl@diehlnet.com

I switched to OpenDNS a couple of weeks ago and have found DNS lookup faster than the DNS servers that Comcast provides. The main reason I looked into OpenDNS was that DNS lookup with the Comcast server suddenly, overnight, became incredibly slow on all Linux boxes (CentOS 5, Fedora 10), but for some reason the Windows (XP Pro) box was unaffected. A connection speed test showed no difference in connection speeds, and yum from the command line worked as usual. Knowing from experience that Comcast (at least here) has reasonably good hardware but horrible technical support, I simply switched to OpenDNS and saw improvement in DNS lookup speed.

Previously the Internet connection was done through the CentOS server running Squid, which allowed for inspection of Internet traffic. This was lost when we added a wireless network that wasn't run through the CentOS server. OpenDNS filtering was a nice and quick way to deal with blocking of sites - not that it was a big problem to begin with.

With Comcast the IP address doesn't change even after rebooting but CentOS plus a UPS is stable enough to run for years. I did have to shut down when hurricane Ike passed through.

Content blocking, as opposed to putting speed bumps in the way, is actually a really hard problem, especially with uncontrolled endpoints as you have with free Wi-Fi. Just off the top of my head, some workarounds that come to mind are:
1) using Google (or archive.org, or Yahoo, or WebCitation, or...) to view cached copies of otherwise blocked pages
2) using one of the numerous web DNS services out there (a quick Google shows lots, including network-tools.com) to find out the IP address, then entering it directly.

I'm sure with a bit more thought anyone could come up with lots more. This doesn't seem particularly Linux-related, or that well thought out; actually, it reads more like an advertisement for OpenDNS (which doesn't seem that open, frankly). What's it doing in Linux Journal?

Question: How useful, or usable, is OpenDNS if your home network address changes frequently?

We use a fairly simple safeguard in our house. We unplug the home network router's uplink when we don't want anyone to have unsupervised access. Unfortunately, when you plug it back in later, you get a new IP address for the router.

So, how does one subscribe to OpenDNS if you can't state what your source IP is going to be? Do you just have to update your IP on file every time it changes? Is there a script available to auto-update your OpenDNS account's source IP data when it changes?

It is a great DNS service and I use it every day. The only nitpick I have with it, though, is that it redirects mistyped domains to its search guide instead of the traditional NXDOMAIN, so instead of the browser's "Server not found" page with the misspelled URL in the address bar, you get

http://guide.opendns.com/?url=baddomain.com

that you have to correct. Not a big deal, but one of life's smaller annoyances.

The downside to this idea, unless I missed something, is that users can still get around the filter by going direct to the source. So even though you've blocked pr0n-is-us.com, one can still get there by using the IP. There is a definite advantage to having your own content filter. This may still be practical in some areas, so long as you understand the limitations.

Even if they change the nameservers (and your firewall can't block the DNS port, like the Linksys RV082... sad), you can use a transparent caching proxy server. The proxy, if using a redirector like SquidGuard, can even block IP addresses in the URL. We use this at a K12 school, and it works great!